Malware Analysis Report

2025-01-22 19:22

Sample ID 240807-zj32dstfjp
Target 2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat
SHA256 bbf2226c9443f2634fe8a4d38ce483f04e5ac842f4c9ef0fb3fae307e2c22f67
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bbf2226c9443f2634fe8a4d38ce483f04e5ac842f4c9ef0fb3fae307e2c22f67

Threat Level: Known bad

The file 2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobaltstrike family

xmrig

Cobalt Strike reflective loader

XMRig Miner payload

Xmrig family

Cobaltstrike

XMRig Miner payload

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-07 20:45

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-07 20:45

Reported

2024-08-07 20:48

Platform

win10v2004-20240802-en

Max time kernel

141s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\rDreWbx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bZzcaMg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\otlDeAF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WCaHcGE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uXmRCHH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qgcORui.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xtGiAOO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dFiKvqq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KgedotH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gkHBXqY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OEoWvcW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MgaWYvl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jagsQZO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rZfsyZY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DfGexrZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UJjNtqb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\enVsYLm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LlToKnI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pQamAyj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PcNtlnF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oHetrLN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3668 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rDreWbx.exe
PID 3668 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rDreWbx.exe
PID 3668 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KgedotH.exe
PID 3668 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KgedotH.exe
PID 3668 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gkHBXqY.exe
PID 3668 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gkHBXqY.exe
PID 3668 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DfGexrZ.exe
PID 3668 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DfGexrZ.exe
PID 3668 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OEoWvcW.exe
PID 3668 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OEoWvcW.exe
PID 3668 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MgaWYvl.exe
PID 3668 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MgaWYvl.exe
PID 3668 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bZzcaMg.exe
PID 3668 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bZzcaMg.exe
PID 3668 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UJjNtqb.exe
PID 3668 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UJjNtqb.exe
PID 3668 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WCaHcGE.exe
PID 3668 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WCaHcGE.exe
PID 3668 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jagsQZO.exe
PID 3668 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jagsQZO.exe
PID 3668 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rZfsyZY.exe
PID 3668 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rZfsyZY.exe
PID 3668 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\enVsYLm.exe
PID 3668 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\enVsYLm.exe
PID 3668 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uXmRCHH.exe
PID 3668 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uXmRCHH.exe
PID 3668 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qgcORui.exe
PID 3668 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qgcORui.exe
PID 3668 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LlToKnI.exe
PID 3668 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LlToKnI.exe
PID 3668 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xtGiAOO.exe
PID 3668 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xtGiAOO.exe
PID 3668 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\otlDeAF.exe
PID 3668 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\otlDeAF.exe
PID 3668 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pQamAyj.exe
PID 3668 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pQamAyj.exe
PID 3668 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dFiKvqq.exe
PID 3668 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dFiKvqq.exe
PID 3668 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PcNtlnF.exe
PID 3668 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PcNtlnF.exe
PID 3668 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oHetrLN.exe
PID 3668 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oHetrLN.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\rDreWbx.exe

C:\Windows\System\rDreWbx.exe

C:\Windows\System\KgedotH.exe

C:\Windows\System\KgedotH.exe

C:\Windows\System\gkHBXqY.exe

C:\Windows\System\gkHBXqY.exe

C:\Windows\System\DfGexrZ.exe

C:\Windows\System\DfGexrZ.exe

C:\Windows\System\OEoWvcW.exe

C:\Windows\System\OEoWvcW.exe

C:\Windows\System\MgaWYvl.exe

C:\Windows\System\MgaWYvl.exe

C:\Windows\System\bZzcaMg.exe

C:\Windows\System\bZzcaMg.exe

C:\Windows\System\UJjNtqb.exe

C:\Windows\System\UJjNtqb.exe

C:\Windows\System\WCaHcGE.exe

C:\Windows\System\WCaHcGE.exe

C:\Windows\System\jagsQZO.exe

C:\Windows\System\jagsQZO.exe

C:\Windows\System\rZfsyZY.exe

C:\Windows\System\rZfsyZY.exe

C:\Windows\System\enVsYLm.exe

C:\Windows\System\enVsYLm.exe

C:\Windows\System\uXmRCHH.exe

C:\Windows\System\uXmRCHH.exe

C:\Windows\System\qgcORui.exe

C:\Windows\System\qgcORui.exe

C:\Windows\System\LlToKnI.exe

C:\Windows\System\LlToKnI.exe

C:\Windows\System\xtGiAOO.exe

C:\Windows\System\xtGiAOO.exe

C:\Windows\System\otlDeAF.exe

C:\Windows\System\otlDeAF.exe

C:\Windows\System\pQamAyj.exe

C:\Windows\System\pQamAyj.exe

C:\Windows\System\dFiKvqq.exe

C:\Windows\System\dFiKvqq.exe

C:\Windows\System\PcNtlnF.exe

C:\Windows\System\PcNtlnF.exe

C:\Windows\System\oHetrLN.exe

C:\Windows\System\oHetrLN.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/3668-0-0x00007FF642180000-0x00007FF6424D1000-memory.dmp

memory/3668-1-0x000001BC7B0E0000-0x000001BC7B0F0000-memory.dmp

C:\Windows\System\rDreWbx.exe

MD5 94f9e8681896040fe052c2b6774b6d39
SHA1 9cc638d6a6d0c3549f213bd30faf5ee003d4bd36
SHA256 bd2f1e4fe0c5d6d85fdfc314a40292dd9563c341a3848ea629a4e0e092dde2fa
SHA512 d7724887638545e2cd83fd201ce943691eb231e8be8cc9676b88bd1b3d1ba137956a245c177a591a018c592ae72b62898567ca1b1fd79e3e7d439179d7fdeadf

C:\Windows\System\KgedotH.exe

MD5 7dce01c238d782a548ad2a27441e00c0
SHA1 cc1ed97be0ed9ba95efbe669aedbb28be6f2fe3b
SHA256 411f3a1828a1e85b8a3d0beacae536c39dc0c86bf927b1467c47548ba0e551f9
SHA512 13df6385ebac53f0b2b7a7994cdce41764442a8951fa744ae9e086480242bb4830fb378e317bc135325d65604570950ecade1ce3e5ee47bb2c6116b2aa54fb31

C:\Windows\System\gkHBXqY.exe

MD5 7642514366c7b9b7412ab58993a10384
SHA1 c3a8e3c2404277ae5bd1c631c2280582b7342c25
SHA256 8393ec04ae9b390efa2786684d77b53f62e3847b9eec4fa4fbb73e1e9f9740c8
SHA512 0f417c35f38d926e457f14630aa90d9ba35055befb75ec1d4f441056073e9a62b909390e2ceb41b9013e6c82424d07a657552df70f7bc7b4ff67873c131894a0

C:\Windows\System\DfGexrZ.exe

MD5 faded8c1a7231a672e5575fa62e868f1
SHA1 5f2df030f7d6864ec0b4641b55cd8fdffcf2e5fa
SHA256 6b324a815359797bf7d4cee45ce739a89ed8f99df8db70c1e51154d7b5b9471c
SHA512 01d42e72d57df2e8501445b530212436f013d93638bada2119de33d61eb0a3b34e1b1d84cd0ebb85d7226e26f236d245310b729df70db80780f2efdd29c88782

C:\Windows\System\bZzcaMg.exe

MD5 2515ccba41d950f2bfc9d7d98334d44f
SHA1 2049e40b65d8fe4df7a85b095fcb2fb95bd4be41
SHA256 925aa1b31c78e56ffa640b129553be1302cca3f22e9d9e40fab165cd807a94af
SHA512 350889bdd5843aa931eafdd916001e3fe98fb1e5909f3995da1dc5becb2073c45687318277d101d4fed26232e868ccc83da3766bee1a350d511632fcf6daa9ed

C:\Windows\System\OEoWvcW.exe

MD5 977cb2b59d316bef11d5b728ea694873
SHA1 4e4e0acebae7e871d7cb2757c5ccefee72c748d1
SHA256 a119df5c0c200e7ca54cfb46bf0977451e18911bd2a3bd1c126164a3df485970
SHA512 1db6220fe1be112ed35f18069460d45c5166c81675ec145c1560e6f0594978e7d90e6bd228a71025927ea55c2f6f424121ca0d463e292ce828c3a1dc3c6dab32

memory/1680-60-0x00007FF6FE730000-0x00007FF6FEA81000-memory.dmp

C:\Windows\System\rZfsyZY.exe

MD5 8fd3e2b1a25a35a546f8b9ecd31b75ca
SHA1 02c2614d5870ebed2adfc4fcfd3686194b4a3bb9
SHA256 2e56812e4485bb59f58abfe9c86980247ea9753f53909435a9473d804d2a6873
SHA512 39914ff02297f41a687a0c1d8d78696ea20c355e572ab8ceb5dda47fc40f3fa428d73006433740087ca693e4ab4c885b68cb0a14cb67629a2b5ceb90b515c1e0

C:\Windows\System\qgcORui.exe

MD5 fa62c194fc1d07d1f85210e9400be9da
SHA1 b34a54bca9a3e76cb7df53d32022ac1a88aaebe8
SHA256 73817f7f5a8315ae19ac8e0355f09237256a0734b29362d8c6c97b9e31f1fa55
SHA512 399f3c2a02acf55aa153fabe95ad7798bd47dcd3bdcf1e8d3a756f5cefca223d5ea07538414073559580661de9b732281fca1b0d2ff3d034c57078f3af2adfcb

C:\Windows\System\pQamAyj.exe

MD5 b9f3fc969e3e90416496cad59e8624fc
SHA1 30abea7afcd8e43a7010bc4044e4ba4b257b38d6
SHA256 d7384023dd1f6ea2124b47cc6282af0225b5ab1999a8b65d6a65db68499c3c33
SHA512 d883b89151c14a294c99bb4e2bc644cfd613fd54297b3e5125c6168eb9964ca1d1714e5c54724c1bc59ac388e56e4ac65ebc3694eb001e6d0650eb33410421aa

C:\Windows\System\dFiKvqq.exe

MD5 d1ffe2edac9ddd9ac34488898964541e
SHA1 65884b1d1328291602cb4d7720cfbee1ba8ee82b
SHA256 f042e104b933dadaeb3696dd961489a8314ae4ae92cba2dcbebc2a1a17bff17c
SHA512 737422cf6a85bae93388a41f42f59c207767f2b384ddda30219c05f305e40e970af8b53e6f458623242864e2db7def172e666c04ba48861c1bfc591818483fd5

memory/4268-119-0x00007FF730DE0000-0x00007FF731131000-memory.dmp

C:\Windows\System\oHetrLN.exe

MD5 ff4d7829df74fee3e31035d0355fdf12
SHA1 0890b254165c65d2d0c1e509bd4b8d2f9f7b165f
SHA256 800d218784ddff13f9f1cb11a96a2fcb33e2dfb4a65dbed8c7fba99f8f205b83
SHA512 e2d27754fc7639f15852841d8ffad655607c8f77b6bfb02171cf11c71fd56b749f1f41da59a15d76b5cb5d5f03ac37c6aeb2ed561c10f7b21360e3ce9f4f5c69

memory/3152-122-0x00007FF6E6360000-0x00007FF6E66B1000-memory.dmp

memory/4000-121-0x00007FF625BF0000-0x00007FF625F41000-memory.dmp

memory/3452-120-0x00007FF611EA0000-0x00007FF6121F1000-memory.dmp

memory/1640-118-0x00007FF64A3E0000-0x00007FF64A731000-memory.dmp

C:\Windows\System\PcNtlnF.exe

MD5 482f9f4f9818e1b9683bb59949aa9dc8
SHA1 cdf47c6e7e4ae187bc89fbdca41d0c54ad14b311
SHA256 d1686f47c4f21f508cb8985d64dabab1bee2f29668d9ff9b7d5c9d0603c5f08b
SHA512 e421e606cb1610d20dc98565cd742a6b5eef4267a184bdcfff4e1a2e124a549d03349f5aee0524df643f8da7cdf5fa798eb7d807ff2423b0037de11206e6da00

memory/4168-115-0x00007FF693200000-0x00007FF693551000-memory.dmp

memory/896-112-0x00007FF75E0F0000-0x00007FF75E441000-memory.dmp

memory/1860-111-0x00007FF791DB0000-0x00007FF792101000-memory.dmp

C:\Windows\System\otlDeAF.exe

MD5 13c28dbffac2be4a694f8ff9784af630
SHA1 9515187848e5d05ef1222d126cc66e42f74545ee
SHA256 50b270f75b6c5c5b27267092bf27b8095ad32c306bd730103330652bedb3f626
SHA512 1facbaa9d620356463e5d9860e85f5ea614ff192b78e4f9e09ee73cf0dbe6169d9c81f220ab0efbbefdd9f1f5a0bb8288d6132b67a442c96b6c14fc8d4144c1a

C:\Windows\System\xtGiAOO.exe

MD5 315fcfa3d183de56e8b74cb52db8a9d4
SHA1 fd7fad7fbedac743fe9793c4b4d68f8dda925b37
SHA256 13c672cd700fb3008956586e359220e53630c43129c7d5bd9a2df1e1a8136c19
SHA512 b32f14b99ee28e5fa2dee89abc72952beb8f07ae63c462bc23cd6fe9321a33db86087579d8de376e5e569bbfbeaf007528eee15aba8f4e9d281bc6d159cb264b

memory/820-103-0x00007FF6BD970000-0x00007FF6BDCC1000-memory.dmp

memory/2020-97-0x00007FF6F0550000-0x00007FF6F08A1000-memory.dmp

C:\Windows\System\LlToKnI.exe

MD5 eebc6935c32c9ab68154b01d080de08d
SHA1 bb5efcec91ffb92fa36fac4527a8773939f4f8cf
SHA256 814d673bc71d76de619f1509c1be2767b916f567f43e0187441e052ca7ab36d8
SHA512 b222cf81579513a9396e2fde3a7319646923f03925e11447b25b3799dcce6702cfd09c02e408adabd109f9b5f59b1f4fa588a5d74e4b9fa04be81c414e871e0b

memory/3112-95-0x00007FF6939E0000-0x00007FF693D31000-memory.dmp

C:\Windows\System\uXmRCHH.exe

MD5 864578222c85c3c81f6914a1a463468b
SHA1 67a3386d011dcef8b35a3879403497f8c1a0697c
SHA256 5ac5cd7dcc701bc706280b2f6241ddcb4faf5a50908ddd907df5f07bde36120e
SHA512 e5fd22a5853aada4d47439000e3fd5ddffcc24ef73227db257d05c6cf40e24e8ee2c26bb78dc39693f2a6c19c06f13f770d22dc15cbe9af05a929e5806d08fd2

memory/1812-81-0x00007FF634690000-0x00007FF6349E1000-memory.dmp

C:\Windows\System\enVsYLm.exe

MD5 49043d3c192727315d4f7b5c6ad7af14
SHA1 245ee0bf7cbccf826c30962ef352f9a9a65c9e32
SHA256 58b8831596f632d757b5aee54d74bee689e5f236af06178ed80af53f4c27c32d
SHA512 c87c0d41a7d87165d0d6b6a8b363feb9a29c7efe1ecd6a330ae9c4d5b790f3aeb2e944dad2cf48e50c216d7d775f7c3bd9487e4311452031e8ef3c34fb0842fe

C:\Windows\System\jagsQZO.exe

MD5 5a076b0d86a9a47c0c9fb019d8630d7c
SHA1 f53faeb59b6e8a8375aef6ca5308def294cecfc9
SHA256 935cf05b63ce6716dc5ca8e247cd21fb4c4fcaf0d0bb2abedabfd279177dfff6
SHA512 b814f7acd833ae345f95192893c493a3fb3371101f81e377aa615a459cda191d899cac3014a0ae9348706b8fbaefe5b2b7fd8d65b4021f6b1dc4ce224e3f2516

C:\Windows\System\WCaHcGE.exe

MD5 48a8d57cef6736ef22604d053b72dcbe
SHA1 16d5355b581018d3e0541abddec69f941b9aa83a
SHA256 85b3f7c3106f4b0e52349d6c2373610390bbfc1c5b1cdce0b47247e183c30751
SHA512 c58a697d65f34aef82c394e628553c4cdbb43fa26055a64854b050525ed8a2f99cf16f4093fbaa1929ec2e14545c3f98933c6d4a60e227e61ba8f03075092f06

memory/4824-50-0x00007FF664770000-0x00007FF664AC1000-memory.dmp

C:\Windows\System\UJjNtqb.exe

MD5 513242886bdb1e7d990e889b653b08b4
SHA1 f8cf1496a8bc494bfc91358432693dd00adb2353
SHA256 26a3764384240ff809fac45c8f770433aeb1dc3d5476e4dbe382ebc62645d1d7
SHA512 62df2ee048276df7362975aeebfca844fbb94e39d31b60eeb99ea63e8b04724760a6a677816e549d9124d8a9b3f469502e64bb9bef24990120f3a5c5fb6f578a

C:\Windows\System\MgaWYvl.exe

MD5 b303228bad6882329fd7c41a51acfc4f
SHA1 4f97b804678a08ddd490b50dc429e14ef75a7914
SHA256 b6efeab105c8d8acd68018a5681d14e4641dd44221ce49cd1a14aa4fc64b1c6b
SHA512 d9225978f034db5b0a09afccfe4d02a01295bcecdd19d9d6e31d87f2cd21fbd152714e64255e7a7befbbcffd9081f41ba37ba68d553d7bb3f300392fda2a7ce9

memory/2300-42-0x00007FF63DB90000-0x00007FF63DEE1000-memory.dmp

memory/440-35-0x00007FF714C80000-0x00007FF714FD1000-memory.dmp

memory/2852-34-0x00007FF632AA0000-0x00007FF632DF1000-memory.dmp

memory/5076-27-0x00007FF6F0AA0000-0x00007FF6F0DF1000-memory.dmp

memory/2532-26-0x00007FF6A1710000-0x00007FF6A1A61000-memory.dmp

memory/2148-10-0x00007FF6947A0000-0x00007FF694AF1000-memory.dmp

memory/3888-127-0x00007FF61C640000-0x00007FF61C991000-memory.dmp

memory/2300-134-0x00007FF63DB90000-0x00007FF63DEE1000-memory.dmp

memory/4824-135-0x00007FF664770000-0x00007FF664AC1000-memory.dmp

memory/2852-133-0x00007FF632AA0000-0x00007FF632DF1000-memory.dmp

memory/1680-137-0x00007FF6FE730000-0x00007FF6FEA81000-memory.dmp

memory/3668-128-0x00007FF642180000-0x00007FF6424D1000-memory.dmp

memory/2532-130-0x00007FF6A1710000-0x00007FF6A1A61000-memory.dmp

memory/3668-150-0x00007FF642180000-0x00007FF6424D1000-memory.dmp

memory/3668-151-0x00007FF642180000-0x00007FF6424D1000-memory.dmp

memory/2148-208-0x00007FF6947A0000-0x00007FF694AF1000-memory.dmp

memory/2532-210-0x00007FF6A1710000-0x00007FF6A1A61000-memory.dmp

memory/5076-212-0x00007FF6F0AA0000-0x00007FF6F0DF1000-memory.dmp

memory/440-214-0x00007FF714C80000-0x00007FF714FD1000-memory.dmp

memory/2852-216-0x00007FF632AA0000-0x00007FF632DF1000-memory.dmp

memory/2300-218-0x00007FF63DB90000-0x00007FF63DEE1000-memory.dmp

memory/1812-220-0x00007FF634690000-0x00007FF6349E1000-memory.dmp

memory/4824-222-0x00007FF664770000-0x00007FF664AC1000-memory.dmp

memory/1680-224-0x00007FF6FE730000-0x00007FF6FEA81000-memory.dmp

memory/3112-226-0x00007FF6939E0000-0x00007FF693D31000-memory.dmp

memory/4268-228-0x00007FF730DE0000-0x00007FF731131000-memory.dmp

memory/2020-230-0x00007FF6F0550000-0x00007FF6F08A1000-memory.dmp

memory/820-232-0x00007FF6BD970000-0x00007FF6BDCC1000-memory.dmp

memory/1860-234-0x00007FF791DB0000-0x00007FF792101000-memory.dmp

memory/3452-239-0x00007FF611EA0000-0x00007FF6121F1000-memory.dmp

memory/4000-241-0x00007FF625BF0000-0x00007FF625F41000-memory.dmp

memory/896-242-0x00007FF75E0F0000-0x00007FF75E441000-memory.dmp

memory/1640-244-0x00007FF64A3E0000-0x00007FF64A731000-memory.dmp

memory/4168-237-0x00007FF693200000-0x00007FF693551000-memory.dmp

memory/3152-246-0x00007FF6E6360000-0x00007FF6E66B1000-memory.dmp

memory/3888-248-0x00007FF61C640000-0x00007FF61C991000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-07 20:45

Reported

2024-08-07 20:48

Platform

win7-20240705-en

Max time kernel

141s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\DfGexrZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jagsQZO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LlToKnI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PcNtlnF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MgaWYvl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WCaHcGE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dFiKvqq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oHetrLN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xtGiAOO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\otlDeAF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KgedotH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gkHBXqY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OEoWvcW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rZfsyZY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\enVsYLm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qgcORui.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rDreWbx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bZzcaMg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UJjNtqb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uXmRCHH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pQamAyj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2684 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rDreWbx.exe
PID 2684 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KgedotH.exe
PID 2684 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gkHBXqY.exe
PID 2684 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DfGexrZ.exe
PID 2684 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OEoWvcW.exe
PID 2684 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MgaWYvl.exe
PID 2684 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bZzcaMg.exe
PID 2684 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UJjNtqb.exe
PID 2684 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WCaHcGE.exe
PID 2684 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jagsQZO.exe
PID 2684 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rZfsyZY.exe
PID 2684 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\enVsYLm.exe
PID 2684 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uXmRCHH.exe
PID 2684 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qgcORui.exe
PID 2684 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LlToKnI.exe
PID 2684 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xtGiAOO.exe
PID 2684 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\otlDeAF.exe
PID 2684 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pQamAyj.exe
PID 2684 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dFiKvqq.exe
PID 2684 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PcNtlnF.exe
PID 2684 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oHetrLN.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\rDreWbx.exe

C:\Windows\System\KgedotH.exe

C:\Windows\System\gkHBXqY.exe

C:\Windows\System\DfGexrZ.exe

C:\Windows\System\OEoWvcW.exe

C:\Windows\System\MgaWYvl.exe

C:\Windows\System\bZzcaMg.exe

C:\Windows\System\UJjNtqb.exe

C:\Windows\System\WCaHcGE.exe

C:\Windows\System\jagsQZO.exe

C:\Windows\System\rZfsyZY.exe

C:\Windows\System\enVsYLm.exe

C:\Windows\System\uXmRCHH.exe

C:\Windows\System\qgcORui.exe

C:\Windows\System\LlToKnI.exe

C:\Windows\System\xtGiAOO.exe

C:\Windows\System\otlDeAF.exe

C:\Windows\System\pQamAyj.exe

C:\Windows\System\dFiKvqq.exe

C:\Windows\System\PcNtlnF.exe

C:\Windows\System\oHetrLN.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files
